Agenda


I. Cybersecurity Fortification Initiative (CFI):
» The goals to be achieved


II. The Cyber Resilience Assessment Framework (C-RAF):


» Step 1: inherent risk assessment 
» Step 2: maturity assessment 
» Step 3: roadmap for improvement 


III. Intelligence-led Cyber Attack Simulation Testing (ICAST): 


» A new testing framework


IV. Conclusions 
I. CFI - the goals to be achieved


(I) Adopt a more comprehensive approach for looking at cyber risks


[Cartoon caption: "OK, we know your front door is very secure... but what about your backyard?"]
I. CFI - the goals to be achieved
(II) Provide a more structured framework for assessing cyber resilience


- Banks' assessment, taking into account the HKMA's regulatory principles, is normally based on their own experience, knowledge and internal programme
- Difficulty in benchmarking
- Need for a well-structured assessment framework that can be consistently applied in the banking sector
- Threat intelligence will be taken into account; information will be gathered for analysis
I. CFI - the goals to be achieved
(III) Provide more focused training for cybersecurity professionals


- Shortage of cybersecurity professionals in the market
- Potential tech talent pool waiting to be harnessed
- The HKMA to work with the industry to grow the talent pool of cybersecurity professionals in Hong Kong





II. Cyber Resilience Assessment Framework (C-RAF)

Step 1: Inherent risk assessment


- To determine the inherent riskiness of an institution
- Factors to be considered include the technologies and delivery channels adopted, activities, products, services, infrastructures and operating environment, both individually and collectively
- An inherent risk rating ("high", "medium" or "low") is assigned based on the assessment
[Diagram: categories of factors feeding the inherent risk levels]
- Technologies
- Delivery channels
- Products and technology services
- Organisational characteristics
- Track records on cyber threats
II. Cyber Resilience Assessment Framework (C-RAF)
Step 1: Inherent risk assessment (cont'd)


Each "inherent risk level" is mapped to an expected "maturity level" of cyber resilience. 


[Table: inherent risk levels mapped to expected maturity levels; only the "Advanced" maturity level and the "Low =>" row are legible]


II. Cyber Resilience Assessment Framework (C-RAF)
Step 2: Maturity assessment (in seven domains)

[Diagram of the seven maturity assessment domains; only "Third Party Risk" is legible]
II. Cyber Resilience Assessment Framework (C-RAF)
Step 3: Roadmap for improvement


- The outcomes of the two steps (i.e. inherent risk assessment and maturity assessment) are compared
- Possible gaps can then be identified between the expected level of resilience (from the inherent risk assessment) and the actual level of resilience (from the maturity assessment)
- If gaps exist, a roadmap for improvement is required to bring the bank's maturity level up to its expected level
III. Intelligence-led Cyber Attack Simulation Testing (ICAST)


- To be performed by banks with "medium" or "high" inherent risk ratings
- "Test scenarios" will feature:
  » Story lines
  » Test goals
  » Information from cyber threat intelligence
- While traditional penetration testing usually focuses on technical assessment (i.e. effectiveness of infrastructure, hardware and application protection), ICAST extends testing coverage to the "people" and "process" elements
IV. Conclusions


- The new cybersecurity initiative is underpinned by a well-structured assessment framework for
  » assessing banks' inherent risks
  » assessing banks' maturity levels, and
  » helping banks reach the appropriate maturity level of cyber resilience
- Industry consultation on the assessment framework will start next week. We look forward to hearing your views so as to ensure that the framework is as robust and effective as it should be.
Thank you.




